
They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices

Shyamnath Gollakota, Haitham Hassanieh, Benjamin Ransford, Dina Katabi, Kevin Fu
Massachusetts Institute of Technology; University of Massachusetts, Amherst
{gshyam, haithamh, dk}@mit.edu; {ransford, kevinfu}@cs.umass.edu

ABSTRACT

Wireless communication has become an intrinsic part of modern implantable medical devices (IMDs). Recent work, however, has demonstrated that wireless connectivity can be exploited to compromise the confidentiality of IMDs' transmitted data or to send unauthorized commands to IMDs, even commands that cause the device to deliver an electric shock to the patient. The key challenge in addressing these attacks stems from the difficulty of modifying or replacing already-implanted IMDs. Thus, in this paper, we explore the feasibility of protecting an implantable device from such attacks without modifying the device itself. We present a physical-layer solution that delegates the security of an IMD to a personal base station called the shield. The shield uses a novel radio design that can act as a jammer-cum-receiver. This design allows it to jam the IMD's messages, preventing others from decoding them while being able to decode them itself. It also allows the shield to jam unauthorized commands, even those that try to alter the shield's own transmissions. We implement our design in a software radio and evaluate it with commercial IMDs. We find that it effectively provides confidentiality for private data and protects the IMD from unauthorized commands.

Categories and Subject Descriptors: C.2.2 [Computer Systems Organization]: Computer-Communications Networks

General Terms: Algorithms, Design, Performance, Security

Keywords: Full-duplex, Implanted Medical Devices, Wireless

1. INTRODUCTION

The past few years have produced innovative health-oriented networking and wireless communication technologies, ranging from low-power medical radios that harvest body energy [27] to wireless sensor networks for in-home monitoring and diagnosis [51, 55]. Today, such wireless systems have become an intrinsic part of many modern medical devices [39]. In particular, implantable medical devices (IMDs), including pacemakers, cardiac defibrillators, insulin pumps, and neurostimulators all feature wireless communication [39]. Adding wireless connectivity to IMDs has enabled remote monitoring of patients' vital signs and improved care providers' ability to deliver timely treatment, leading to a better health care system [31].

Recent work, however, has shown that such wireless connectivity can be exploited to compromise the confidentiality of the IMD's transmitted data or to send the IMD unauthorized commands, even commands that cause the IMD to deliver an electric shock to the patient [21, 22]. In other systems, designers use cryptographic methods to provide confidentiality and prevent unauthorized access. However, adding cryptography directly to IMDs themselves is difficult for the following reasons:

Inalterability: In the U.S. alone, there are millions of people who already have wireless IMDs, and about 300,000 such IMDs are implanted every year [58]. Once implanted, an IMD can last up to 10 years [14], and replacing it requires surgery that carries risks of major complications. Incorporating cryptographic mechanisms into existing IMDs may be infeasible because of limited device memory and hence can only be achieved by replacing the IMDs. This is not an option for people who have IMDs or may acquire them in the near future.

Safety: It is crucial to ensure that health care professionals always have immediate access to an implanted device. However, if cryptographic methods are embedded in the IMD itself, the device may deny a health care provider access unless she has the right credentials. Yet, credentials might not be available in scenarios where the patient is at a different hospital, the patient is unconscious, or the cryptographic key storage is damaged or unreachable [22, 31]. Inability to temporarily adjust or disable an IMD could prove fatal in emergency situations.¹

Maintainability: Software bugs are particularly problematic for IMDs because they can lead to device recalls. In the last eight years, about 1.5 million software-based medical devices were recalled [15]. Between 1999 and 2005, the number of recalls of software-based medical devices more than doubled; more than 11% of all medical-device recalls during this time period were attributed to software failures [15]. Such recalls are costly and could require surgery if the model is already implanted. Thus, it is desirable to limit IMDs' software to only medically necessary functions.

This paper explores the feasibility of protecting IMDs without modifying them by implementing security mechanisms entirely on an external device. Such an approach enhances the security of IMDs for patients who already have them, empowers medical personnel to access a protected IMD by removing the external device or powering it off, and does not in itself increase the risk of IMD recalls.

¹ Note that distributing the credentials widely beyond the patient's primary health care providers increases the probability of the key being leaked and presents a major key revocation problem.

SIGCOMM'11, August 15–19, 2011, Toronto, Ontario, Canada. Copyright 2011 ACM 978-1-4503-0797-0/11/08 ...$10.00.
We present a design in which an external device, called the shield, is interposed between the IMD and potential counterparties, e.g., worn on the body near an implanted device. The shield acts as a gateway that relays messages between the IMD and authorized endpoints. It uses a novel physical-layer mechanism to secure its communication with the IMD, and it uses a standard cryptographic channel to communicate with other authorized endpoints. The shield counters two classes of adversarial actions: passive eavesdropping that threatens the confidentiality of the IMD's transmissions, and active transmission of unauthorized radio commands to the IMD. First, to provide confidentiality for the IMD's transmissions, the shield continuously listens for those transmissions and jams them so that they cannot be decoded by eavesdroppers. The shield uses a novel radio design to simultaneously receive the IMD's signal and transmit a jamming signal. The shield then transmits the IMD's signal to an authorized endpoint using standard cryptographic techniques. Second, to protect the IMD against commands from unauthorized endpoints, the shield listens for unauthorized transmissions addressing the IMD and jams them. As a result of jamming, the IMD cannot decode the adversarial transmissions, and hence the adversary fails to make the IMD execute an unauthorized command.

A key challenge that we had to overcome to realize this architecture is to design a small wearable radio that simultaneously jams the IMD's signal and receives it. We build on prior work in the area of full-duplex radio design, which enables a single node to transmit and receive simultaneously [3, 7]. However, prior work requires large antenna separation and hence yields large devices unsuitable for our application. In particular, the state-of-the-art design for full-duplex radios [3] exploits the property that a signal reverses its phase every half a wavelength; it transmits the same signal from two antennas and puts a receive antenna exactly half a wavelength closer to one of the transmit antennas than the other. An antenna separation of half a wavelength, however, is unsuitable for our context: the IMDs we consider operate in the 400 MHz band [13] with a wavelength of about 75 cm. A shield that requires the antennas to be rigidly separated by exactly half a wavelength (37.5 cm) challenges the notion of wearability and therefore patient acceptability.

This paper presents a full-duplex radio that does not impose restrictions on antenna separation or positioning, and hence can be built as a small wearable device. Our design uses two antennas: a jamming antenna and a receive antenna, placed next to each other. The jamming antenna transmits a random signal to prevent eavesdroppers from decoding the IMD's transmissions. However, instead of relying on a particular positioning to cancel the jamming signal at the receive antenna, we connect the receive antenna simultaneously to both a transmit and a receive chain. We then make the transmit chain send an antidote signal that cancels the jamming signal at the receive antenna's front end, allowing it to receive the IMD's signal and decode it. We show both analytically and empirically that our design delivers its security goals without antenna separation; hence it can be built as a small wearable radio.

Our design has additional desirable features. Specifically, because the shield can receive while jamming, it can detect adversaries who try to alter the shield's signal to convey unauthorized messages to the IMD. It can also ensure that it stops jamming the medium when an adversarial signal ends, allowing legitimate devices to communicate.

We have implemented a prototype of our design on USRP2 software radios [9]. We use 400 MHz daughterboards for compatibility with the 402–405 MHz Medical Implant Communication Services (MICS) band used by IMDs [13]. We evaluate our prototype shield against two modern IMDs, namely the Medtronic Virtuoso implantable cardiac defibrillator (ICD) [37] and the Concerto cardiac resynchronization therapy device (CRT) [36]. Our evaluation reveals the following:

When the shield is present, it jams the IMD's messages, causing even nearby (20 cm away) eavesdroppers to experience a bit error rate of nearly 50%, which is no better than a random guess.

When the shield jams the IMD's packets, it can still reliably decode them (the packet loss rate is 0.2%, which is negligible). We conclude that the shield and the IMD share an information channel that is inaccessible to other parties.

When the shield is absent, the IMD replies to unauthorized commands, even if the adversary is in a non-line-of-sight location more than 14 m away, and uses a commercial device that operates in the MICS band and adheres to the FCC power limit.

When the shield is present and has the same transmit power as the adversary, the IMD does not respond to unauthorized commands, even when the adversary is only 20 cm away.

When the shield is absent and an adversary with 100 times the shield's power transmits unauthorized commands, the IMD responds from distances as large as 27 m. When the shield is present, however, the high-powered adversary's attempts succeed only from distances less than 5 m, and only in line-of-sight locations. The shield always detects high-powered adversarial transmissions and raises an alarm. We conclude that sufficiently high-powered adversaries present an intrinsic limitation to our physical-layer protection mechanism. However, the shield's presence reduces the adversary's success range and informs the patient, raising the bar for the adversary's attempts.

The shield is, to our knowledge, the first system that simultaneously provides confidentiality for IMDs' transmissions and protects IMDs against commands from unauthorized parties without requiring any modification to the IMDs themselves. Further, because it affords physical-layer protection, it may also help provide a complementary defense-in-depth solution to devices that feature cryptographic or other application-layer protection mechanisms.

Disclaimer. Operating a jamming device has legal implications that vary by jurisdiction and frequency band. The definition of jamming also depends on both context and intent. Our experiments were conducted in tightly controlled environments where no patients were present. Further, the intent of a shield is never to interfere with communications that do not involve its protected IMD. We recommend that anyone considering deployment of technology based on this research consult with their own legal counsel.

2. IMD COMMUNICATION PRIMER

Wireless communication appears in a wide range of IMDs, including those that treat heart failure, diabetes, and Parkinson's disease. Older models communicated in the 175 KHz band [22]. However, in 1999, the FCC set aside the 402–405 MHz band for medical implant communication services (MICS) [13]. The MICS band was considered well suited for IMDs because of its international availability for this purpose [10], its signal propagation characteristics in the human body, and its range of several meters that allows remote monitoring. Modern IMDs communicate medical information in the MICS band, though devices may use other bands for activation (e.g., 2.4 GHz or 175 KHz) [45]. IMDs share the MICS band with meteorological systems on a secondary basis and should ensure that their usage of it does not interfere with these systems. The FCC divides the MICS band into multiple channels of 300 KHz width [13]. A pair of communicating devices uses one of these channels.

IMDs typically communicate infrequently with a device called an IMD programmer (hereafter, programmer). The programmer initiates a session with the IMD during which it either queries the IMD for its data (e.g., patient name, ECG signal) or sends it commands (e.g., a treatment modification). By FCC requirement, the IMD does not normally initiate communications; it transmits only in response to a transmission from a programmer [13] or if it detects a life-threatening condition [23].

A programmer and an IMD share the medium with other devices as follows [13]. Before they can use a 300 KHz channel for their session, they must listen for a minimum of 10 ms to ensure that the channel is unoccupied. Once they find an unoccupied channel, they establish a session and alternate between the programmer transmitting a query or command, and the IMD responding immediately without sensing the medium [24]. The programmer and IMD can keep using the channel until the end of their session, or until they encounter persistent interference, in which case they listen again to find an unoccupied channel.

3. ASSUMPTIONS AND THREAT MODEL

3.1 Assumptions

We assume that IMDs and authorized programmers are honest and follow the protocols specified by the FCC and their manufacturers. We also assume the availability of a secure channel for transmissions between authorized programmers and the shield; this channel may use the MICS band or other bands. We further assume that the shield is a wearable device located close to the IMD, such as a necklace. Wearable medical devices are common in the medical industry [34, 49]. We also assume that the adversary does not physically try to remove the shield or damage it. We assume that legitimate messages sent to an IMD have a checksum and that the IMD will discard any message that fails the checksum test. This latter assumption is satisfied by all wireless protocols that we are aware of, including the ones used by the IMDs we tested (§9). Finally, we assume that the IMD does not normally initiate transmissions (in accordance with FCC rules [13]); if the IMD initiates a transmission because it detects a life-threatening condition, we make no attempt to protect the confidentiality of that transmission.

3.2 Threat Model

We address two classes of commonly considered radio-equipped adversaries: passive eavesdroppers that threaten the confidentiality of the IMD's transmissions, and active adversaries that attempt to send unauthorized radio commands to the IMD [15, 32].

(a) Passive eavesdropper: Such an adversary eavesdrops on the wireless medium and listens for an IMD's transmissions. Specifically, we consider an adversary with the following properties:

The adversary may try different decoding strategies. It may consider the jamming signal as noise and try to decode in the presence of jamming. Alternatively, it can implement interference cancellation or joint decoding in an attempt to simultaneously decode the jamming signal and the IMD's transmission. However, basic results in multi-user information theory show that decoding multiple signals is impossible if the total information rate is outside the capacity region [53]. We ensure that the information rate at the eavesdropper exceeds the capacity region by making the shield jam at an excessively high rate; the jamming signal is random and sent without modulation or coding.

The adversary may use standard or custom-built equipment. It may also use MIMO systems and directional antennas to try to separate the jamming signal from the IMD's signal. MIMO and directional antenna techniques, however, require the two transmitters to be separated by more than half a wavelength (see Chapter 1 in [26] and Chapter 7 in [53]). The IMDs we consider operate in the 400 MHz band with a wavelength of about 75 cm. Thus, one can defend against a MIMO eavesdropper or an eavesdropper with a directional antenna by ensuring that the shield is located significantly less than half a wavelength from the IMD. For example, if the protected IMD is a pacemaker implanted near the clavicle, the shield may be implemented as a necklace or a brooch, allowing it to sit within a few centimeters of the IMD.

The adversary may be in any location farther away from the IMD than the shield (e.g., at distances 20 cm and greater).

(b) Active adversary: Such an adversary sends unauthorized radio commands to the IMD. These commands may be intended to modify the IMD's configuration or to trigger the IMD to transmit unnecessarily, depleting its battery. We allow this adversary the following properties:

The adversary may use one of the following approaches to send commands: it may generate its own unauthorized messages; it may record prior messages from other sources and play them back to the IMD; or it may try to alter an authorized message on the channel, for example, by transmitting at a higher power and causing a capture effect at the IMD [46].

The adversary may use different types of hardware. The adversary may transmit with a commercial IMD programmer acquired from a hospital or elsewhere. Such an approach does not require the adversary to know the technical specifications of the IMD's communication or to reverse-engineer its protocol. However, an adversary that simply uses an unmodified commercial IMD programmer cannot use a transmit power higher than that allowed by the FCC. Alternatively, a more sophisticated adversary might reverse-engineer the IMD's communication protocol, then modify the IMD programmer's hardware or use his own radio transmitter to send commands. In this case, the adversary can customize the hardware to transmit at a higher power than the FCC allows. Further, the adversary may use MIMO or directional antennas. Analogous to the above, however, MIMO beamforming and directional antennas require the two receivers to be separated by a minimum of half a wavelength (37 cm in the MICS band), and hence can be countered by keeping the shield in close proximity to the IMD.

The adversary may be in any location farther away from the IMD than the shield.

4. SYSTEM OVERVIEW

To achieve our design goal of protecting an IMD without modifying it, we design a device called the shield that sits near the IMD and acts as a proxy. An authorized programmer that wants to communicate with the IMD instead exchanges its messages with the shield, which relays them to the IMD and sends back the IMD's responses, as shown in Fig. 1. We assume the existence of an authenticated, encrypted channel between the shield and the programmer. This channel can be established using either in-band [19] or out-of-band solutions [28].

The shield actively prevents any device other than itself from communicating directly with the IMD. It does so by jamming messages sent to and from the IMD. Key to the shield's role is its ability to act as a jammer-cum-receiver, which enables it to jam the IMD's transmissions and prevent others from decoding them, while still being able to decode them itself. It also enables the shield to detect scenarios in which an adversary tries to overpower the shield's own transmissions to create a capture effect on the IMD and deliver an unauthorized message. By proxying IMD communications
without requiring patients to interact directly with the shield, our design aligns with IMD industry trends toward wireless, time- and location-independent patient monitoring.

The next sections explain the jammer-cum-receiver's design, implementation, and use against passive and active adversaries.

Figure 1: Protecting an IMD without modifying it: The shield jams any direct communication with the IMD. An authorized programmer communicates with the IMD only through the shield, with which it establishes a secure channel. (Diagram: IMD, Shield, Programmer; "Encrypted Communication" between shield and programmer.)

Figure 2: The jammer-cum-receiver design uses two antennas: a jamming antenna that transmits the jamming signal, and a receive antenna. The receive antenna is connected to both a transmit and receive chain. The antidote signal is transmitted from the transmit chain to cancel out the jamming signal in the receive chain. (Diagram: Jamming Signal and Antidote Signal; two transmit chains and one receive chain, each with baseband-to-passband conversion, DAC/DAC/ADC and Encoder/Encoder/Decoder; points a and b at the receive antenna's front end.)

5. JAMMER-CUM-RECEIVER

A jammer-cum-receiver naturally needs to transmit and receive simultaneously. This section presents a design for such a full-duplex radio. Our design has two key features: First, it imposes no size restrictions and hence can be built as a small wearable device. Second, it cancels the jamming signal only at the device's receive antenna and at no other point in space, a necessary requirement for our application.

Our design, shown in Fig. 2, uses two antennas: a jamming antenna and a receive antenna. The jamming antenna transmits a random jamming signal. The receive antenna is simultaneously connected to both a transmit and a receive chain. The transmit chain sends an antidote signal that cancels the jamming signal at the receive antenna's front end, allowing the receive antenna to receive any signal without disruption from its own jamming signal.

The antidote signal can be computed as follows. Let $j(t)$ be the jamming signal and $x(t)$ be the antidote. Let $H_{\text{self}}$ be the self-looping channel on the receive antenna (i.e., the channel from the transmit chain to the receive chain on the same antenna) and $H_{\text{jam-rec}}$ the channel from the jamming antenna to the receive antenna. The signal received by the shield's receive antenna is:

$y(t) = H_{\text{jam-rec}}\, j(t) + H_{\text{self}}\, x(t).$ (1)

To cancel the jamming signal at the receive antenna, the antidote must satisfy:

$x(t) = -\dfrac{H_{\text{jam-rec}}}{H_{\text{self}}}\, j(t).$ (2)

Thus, by transmitting a random signal $j(t)$ on its jamming antenna and an antidote $x(t)$ on its receive antenna, the shield can receive signals transmitted by other nodes while jamming the medium.

Next, we show that the antidote cancels the jamming signal only at the shield's receive antenna, and no other location. Let $H_{\text{jam-}l}$ and $H_{\text{rec-}l}$ be the channels from the shield's jamming and receive antennas, respectively, to the adversary's location $l$. An antenna positioned at $l$ receives the combined signal:

$y(t) = H_{\text{jam-}l}\, j(t) + H_{\text{rec-}l}\, x(t)$ (3)

$\phantom{y(t)} = \left( H_{\text{jam-}l} - H_{\text{rec-}l}\, \dfrac{H_{\text{jam-rec}}}{H_{\text{self}}} \right) j(t).$ (4)

For the jamming signal to be cancelled out at location $l$, the following must be satisfied:

$\dfrac{H_{\text{jam-}l}}{H_{\text{rec-}l}} = \dfrac{H_{\text{jam-rec}}}{H_{\text{self}}}.$ (5)

Locating the shield's two antennas very close to each other ensures that at any location $l$ the attenuation from the two antennas is comparable, i.e., $\left| H_{\text{jam-}l} / H_{\text{rec-}l} \right| \approx 1$ (see Chapter 7 in [53] for a detailed analysis). In contrast, $\left| H_{\text{jam-rec}} / H_{\text{self}} \right| \ll 1$; $|H_{\text{self}}|$ is the attenuation on the short wire between the transmit and receive chains in the receive antenna, which is significantly less than the attenuation between the two antennas that additionally have to go on the air [17]. For example, in our USRP2 prototype, the ratio $\left| H_{\text{jam-rec}} / H_{\text{self}} \right| \approx -27$ dB. Thus, the above condition is physically infeasible, and cancelling the jamming signal at the shield's receive antenna does not cancel it at any other location.

We note several ancillary properties of our design:

Transmit and receive chains connected to the same antenna: Off-the-shelf radios such as the USRP [9] have both a receive and a transmit chain connected to the same antenna; they can in principle transmit and receive simultaneously on the same antenna. Traditional systems cannot exploit this property, however, because the transmit signal overpowers the receive chain, preventing the antenna from decoding any signal but its own transmission. When the jamming signal and the antidote signal cancel each other, the interference is cancelled and the antenna can receive from other nodes while transmitting.

Antenna cancellation vs. analog and digital cancellation: Cancelling the jamming signal with an antidote is a form of antenna cancellation. Thus, as in the antenna cancellation scheme by Choi et al. [3], one can improve performance using hardware components such as analog cancelers [43]. In this case, the input to the analog canceler will be taken from points a and b in Fig. 2; the output will be fed to the passband filter in the receive chain.

Channel estimation: Computing the antidote in equation 2 requires knowing the channels $H_{\text{self}}$ and $H_{\text{jam-rec}}$. The shield estimates these channels using two methods. First, during a session with the IMD, the shield measures the channels immediately before it transmits to the IMD or jams the IMD's transmission. In the absence of an IMD session the shield periodically (every 200 ms in our prototype) estimates this channel by sending a probe. Since the shield's two antennas are close to each other, the probe can be sent at a low power to allow other nodes to leverage spatial reuse to concurrently access the medium.

Wideband channels: Our discussion has been focused on narrowband channels. However, the same description can be extended to work with wideband channels which exhibit multipath effects. Specifically, such channels use OFDM, which divides the bandwidth into orthogonal subcarriers and treats each of the subcarriers as if it was an independent narrowband channel. Our model naturally fits in this context.²

Figure 3: Typical interaction between the Virtuoso IMD and its programmer: Without jamming (a), the IMD transmits in response to an interrogation. The bottom graph (b) shows that the IMD transmits within a fixed interval without sensing the medium. (Panels: "Virtuoso ICD Power Profile", (a) Without jamming, (b) With jamming; traces labelled IMD Power Profile and Jamming Power Profile.)

Figure 4: The frequency profile of the FSK signal captured from a Virtuoso cardiac defibrillator shows that most of the energy is concentrated around 50 KHz. (x-axis: Frequency (kHz), -150 to 150.)
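To make equations (1) through (5) concrete, here is an added example (not code from the paper or its authors) that models the narrowband channels as complex scalars. It estimates H_self and H_jam-rec from a probe, forms the antidote of equation (2) from those estimates, and measures how much jamming power is removed at the shield's receive antenna (the quantity Section 6 calls the SINR gap G) versus at an eavesdropper whose two channels are comparable, which is the reason equation (5) cannot hold there. All channel values, the probe, the noise level and the least-squares estimator are this example's own assumptions; only the roughly -27 dB ratio |H_jam-rec / H_self| is taken from the paper's USRP2 prototype.

```python
"""Antidote cancellation for a jammer-cum-receiver (Section 5).

Added example, not the paper's code. Narrowband channels are complex scalars,
as in equations (1)-(5). All channel values and the probe are constructed;
only the ratio |H_jam-rec / H_self| of about -27 dB comes from the paper.
"""
import cmath
import math
import random


def db(power_ratio):
    """Power ratio to decibels."""
    return 10.0 * math.log10(power_ratio)


def estimate_channel(sent, received):
    """Least-squares estimate of a flat channel H from a known probe (received ~ H*sent).

    This is the example's own estimator; the paper does not say which it uses.
    """
    num = sum(r * s.conjugate() for s, r in zip(sent, received))
    den = sum(abs(s) ** 2 for s in sent)
    return num / den


def antidote(jam, h_jam_rec, h_self):
    """Equation (2): x(t) = -(H_jam-rec / H_self) * j(t)."""
    return [-(h_jam_rec / h_self) * v for v in jam]


def received_at(h_jam, h_rec, jam, x):
    """Equations (1)/(3): y(t) = H_jam * j(t) + H_rec * x(t) at any antenna."""
    return [h_jam * a + h_rec * b for a, b in zip(jam, x)]


def mean_power(signal):
    return sum(abs(v) ** 2 for v in signal) / len(signal)


def cancellation_db(h_jam, h_rec, jam, x):
    """Jamming power removed by the antidote at an antenna, in dB.

    At the shield's own receive antenna this is the SINR gap G of Section 6;
    at an eavesdropper it should stay near 0 dB.
    """
    before = mean_power([h_jam * v for v in jam])
    after = mean_power(received_at(h_jam, h_rec, jam, x))
    return float("inf") if after == 0.0 else db(before / after)


def demo(n=256, seed=1):
    """Run the whole procedure on constructed channels; returns the key numbers."""
    rng = random.Random(seed)

    def noise(sigma):
        return complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma))

    # Constructed channels: H_self is the short wire between the transmit and
    # receive chains, H_jam-rec goes over the air and is about 27 dB weaker.
    h_self = 1.0 + 0j
    h_jam_rec = 10 ** (-27 / 20) * cmath.exp(1.1j)
    # Eavesdropper at location l: both shield antennas are attenuated about equally.
    h_jam_l = 0.010 + 0j
    h_rec_l = 0.0098 * cmath.exp(0.3j)

    # 1. Estimate both channels from a unit-magnitude probe with slight receiver noise.
    probe = [cmath.exp(2j * math.pi * rng.random()) for _ in range(n)]
    h_self_est = estimate_channel(probe, [h_self * s + noise(1e-3) for s in probe])
    h_jam_rec_est = estimate_channel(probe, [h_jam_rec * s + noise(1e-3) for s in probe])

    # 2. Random jamming signal and its antidote built from the *estimated* channels.
    jam = [noise(1.0) for _ in range(n)]
    x = antidote(jam, h_jam_rec_est, h_self_est)

    # 3. Residual jamming at the shield (tiny) versus at the eavesdropper (unchanged).
    return {
        "ratio_jam_rec_to_self_db": db(abs(h_jam_rec / h_self) ** 2),
        "sinr_gap_G_db": cancellation_db(h_jam_rec, h_self, jam, x),
        "cancellation_at_eavesdropper_db": cancellation_db(h_jam_l, h_rec_l, jam, x),
        "eq5_lhs_abs": abs(h_jam_l / h_rec_l),   # ~1, comparable attenuation
        "eq5_rhs_abs": abs(h_jam_rec / h_self),  # << 1, so (5) cannot hold
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:34s} {value:9.3f}")
```

The residual at the shield is set by the channel-estimation error, which is why the paper re-measures the channels right before each transmission and every 200 ms otherwise; at the eavesdropper the antidote changes the jamming power by a fraction of a decibel because its two channels have comparable magnitude while |H_jam-rec / H_self| is far below one.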
-150 -100 -50 0 50 100 150
6. VERSUS PASSIVE EAVESDROPPERS Frequency (kHz)

To preserve the confidentiality of an IMDs transmissions, the Figure 5Shaping the jamming signals profile to match an
shield jams the IMDs signal on the channel. Since the wireless IMDs allows the shield to focus its jamming power on the fre-
quencies that matter for decoding, as opposed to jamming across
channel creates linear combinations of concurrently transmitted the entire 300 KHz channel.
signals, jamming with a random signal provides a form of one-time
pad, where only entities that know the jamming signal can decrypt
While jamming, the shield receives the signal on the medium using
the IMDs data [50]. The shield leverages its knowledge of the jam- its receive antenna. The shield jams for (T2 T1 ) + P milliseconds.
ming signal and its jammer-cum-receiver capability to receive the Additionally, to deal with scenarios in which the IMD may trans-
IMDs data in the presence of jamming. mit in response to an unauthorized message, the shield uses its abil-
To realize our design goal, the shield must ensure that it jams ev- ity to detect active adversaries that might succeed at delivering a
ery packet transmitted by the IMD. To this end, the shield leverages
message to the IMD (see 7(d)). Whenever such an adversary is
two properties of MICS-band IMD communications [13, 24]:
detected, the shield uses the same algorithm above, as if the mes-
An IMD does not transmit except in a response to a message sage were sent to the IMD by the shield itself.
from a programmer. The shield can listen for programmer trans- We note that each shield should calibrate the above parameters
missions and anticipate when the IMD may start transmitting. for its own IMD. In particular, for the IMDs tested in this paper, the
An IMD transmits in response to a message from a programmer above parameters are as follows: T1 = 2.8 ms, T2 = 3.7 ms, and
without sensing the medium. This allows the shield to bound the P = 21 ms.
interval during which the IMD replies after receiving a message. Our design of the shield sets three sub-goals:
(a) Maximize jamming efficiency for a given power budget: It
Fig. 3 shows an example exchange between a Medtronic Virtu- is important to match the frequency profile of the jamming signal
oso implantable cardiac defibrillator (ICD) and a programmer (in to the frequency profile of the jammed signal [30]. To understand
this case, a USRP). Fig. 3(a) shows that the Virtuoso transmits in this issue, consider the example of the Virtuoso cardiac defibrilla-
response to a programmers message after a fixed interval (3.5 ms). tor. This device operates over a channel bandwidth of 300 KHz.
To check that the Virtuoso indeed does not sense the medium, we However, it uses FSK modulation where a 0 bit is transmitted at
made the programmer USRP transmit a message to the Virtuoso and one frequency f0 and a 1 bit is transmitted at a different frequency
within 1 ms transmit another random message. Fig. 3(b) plots the f1 . Fig. 4 shows the frequency profile of the FSK signal captured
resulting signal and shows that the Virtuoso still transmitted after from a Virtuoso cardiac defibrillator. A jammer might create a jam-
the same fixed interval even though the medium was occupied. ming signal over the entire 300 KHz. However, since the frequency-
Given the above properties, the shield uses the following algo- domain representation of the received FSK signal has most of its
rithm to jam the IMDs transmissions. Let T1 and T2 be the lower energy concentrated around f0 and f1 , an adversary can eliminate
and upper bounds on the time that the IMD takes to respond to a most of the jamming signal by applying two band-pass filters cen-
message, and let P be the IMDs maximum packet duration. When- tered on f0 and f1 .
ever the shield sends a message to the IMD, it starts jamming the Therefore, an effective jammer should consider the structure of
medium exactly T1 milliseconds after the end of its transmission. the IMDs signal when crafting the jamming signal, shaping the
2 amount of energy it puts in each frequency according to the fre-
More generally, one could compute the multi-path channel and apply an equal-
izer [18] on the time-domain antidote signal that inverts the multi-path of the jamming quency profile of the IMD signal. Fig. 5 compares the power profile
signal. of a jamming signal that is shaped to fit the signal in Fig. 4 and an
oblivious jamming signal that uses a constant power profile. The figure shows that the shaped signal has increased jamming power in frequencies that matter for decoding.

To shape its jamming signal appropriately, the shield generates the jamming signal by taking multiple random white Gaussian noise signals and assigning each of them to a particular frequency bin in the 300 kHz MICS channel. The shield sets the variance of the white Gaussian noise in each frequency bin to match the power profile resulting from the IMD's FSK modulation in that frequency bin. We then take the IFFT of all the Gaussian signals to generate the time-domain jamming signal. This process generates a random jamming signal that has a power profile similar to the power profile generated by IMD modulation. The shield scales the amplitude of the jamming signal to match its hardware's power budget. The shield also compensates for any carrier frequency offset between its RF chain and that of the IMD.

(b) Ensure independence of eavesdropper location: To ensure confidentiality, the shield must maintain a high bit error rate (BER) at the adversary, independent of the adversary's location. The BER at the adversary, however, strictly depends on its signal-to-interference-and-noise ratio, SINR_A [17]. To show that the BER at the adversary is independent of its location, we show that the SINR at the adversary is independent of its location.

Suppose the IMD transmits its signal at a power P_i dB and the shield transmits the jamming signal at a power P_j dB. The IMD's signal and the jamming signal will experience a pathloss to the adversary of L_i and L_j, respectively. Thus, the SINR at the adversary can be written in dB as:

$$\mathit{SINR}_A = (P_i - L_i) - (P_j - L_j) - N_A, \qquad (6)$$

where N_A is the noise in the adversary's hardware. Since equation 6 is written in a logarithmic scale, the pathlosses translate into subtractions.

The pathloss from the IMD to the adversary can be expressed as the sum of the pathloss that the IMD's signal experiences in the body and on the air, i.e., $L_i = L_{body} + L_{air}$ [39]. Since the shield and the IMD are close together, the pathlosses they experience on the air to the adversary are approximately the same, i.e., $L_{air} \approx L_j$ [53]. Thus, we can rewrite equation 6 as:

$$\mathit{SINR}_A = (P_i - L_{body}) - P_j - N_A. \qquad (7)$$

The above equation shows that SINR_A is independent of the adversary's location and can be controlled by setting the jamming power P_j to an appropriate value. This directly implies that the BER at the adversary is independent of its location.

(c) SINR tradeoff between the shield and the adversary: Similarly to how we computed the SINR of an eavesdropper, we can compute the SINR of the shield (in dB) as:

$$\mathit{SINR}_S = (P_i - L_{body}) - (P_j - G) - N_G, \qquad (8)$$

where N_G is the thermal noise on the shield and G is the reduction in the jamming signal power at the receive antenna due to the antidote. The above equation simply states that SINR_S is the IMD power after subtracting the pathloss due mainly to in-body propagation, the residual of the jamming power (P_j − G), and the noise.

Note that if one ignores the noise on the shield's receive antenna and the adversary's device (which are negligible in comparison to the other terms), one can express the relation between the two SINRs using a simple equation:

$$\mathit{SINR}_S = \mathit{SINR}_A + G. \qquad (9)$$

This simplified view reveals an intrinsic tradeoff between the SINR at the shield and the adversary, and hence their BERs. To increase the BER at the adversary while maintaining a low BER at the shield, one needs to increase G, which is the amount of jamming power cancelled at the shield's receive antenna. We refer to G as the SINR gap between the shield and the adversary.

We show in §10.1 that for the tested IMDs, an SINR gap of G = 32 dB suffices to provide a BER of nearly 50% at the adversary (reducing the adversary to guessing) while maintaining reliable packet delivery at the shield.

7. VERSUS ACTIVE ADVERSARIES

Next, we explain our approach for countering active adversaries. At a high level, the shield detects unauthorized packets and jams them. The jamming signal combines linearly with the unauthorized signal, causing random bit flips during decoding. The IMD ignores these packets because they fail its checksum test.

The exact active jamming algorithm follows. Let S_id be an identifying sequence, i.e., a sequence of m bits that is always used to identify packets destined to the IMD. S_id includes the packet's physical-layer preamble and the subsequent header. When the shield is not transmitting, it constantly monitors the medium. If it detects a signal on the medium, it proceeds to decode it. For each newly decoded bit, the shield checks the last m decoded bits against the identifying sequence S_id. If the two sequences differ by fewer than a threshold number of bits, b_thresh, the shield jams the signal until the signal stops and the medium becomes idle again.

The shield also uses its receive antenna to monitor the medium while transmitting. However, in this case, if it detects a signal concurrent to its transmission, it switches from transmission to jamming and continues jamming until the medium becomes idle again. The reason the shield jams any concurrent signal without checking for S_id is to ensure that an adversary cannot successfully alter the shield's own message on the channel in order to send an unauthorized message to the IMD.

We note five subtle design points:

(a) Choosing identifying sequences: Our algorithm relies on the identifying sequence S_id in order to identify transmissions destined for the protected IMD. We therefore desire a method of choosing a per-device S_id based on unique device characteristics. Fortunately, IMDs already bear unique identifying characteristics. For example, the Medtronic IMDs that we tested (the Virtuoso ICD and the Concerto CRT) use FSK modulation, a known preamble, a header, and the device's ID, i.e., its 10-byte serial number. More generally, each wireless device has an FCC ID, which allows the designer to look up the device in the FCC database and verify its modulation, coding, frequency and power profile [12].³ One can use these specifications to choose an appropriate identifying sequence. Furthermore, once in a session, the IMD locks on to a unique channel, to receive any future commands. Since other IMD-programmer pairs avoid occupied channels, this channel ID can be used to further specify the target IMD.

(b) Setting the threshold b_thresh: If an adversary can transmit a signal and force the shield to experience a bit error rate higher than the IMD's, it may prevent the shield from jamming an unauthorized command that the IMD successfully decodes and executes. However, we argue that such adversarial success is unlikely, for two reasons. First, because the signal goes through body tissue, the IMD experiences an additional pathloss that could be as high as 40 dB [47], and hence it naturally experiences a much weaker signal than the shield. Second, the IMD uses a harder constraint to accept a packet than the constraint the shield uses to jam a packet. Specifically, the IMD requires that all bits be correct to pass a checksum, while the shield tolerates some differences (up to b_thresh bits) between the identifying sequence and the received one. We describe our empirical method of choosing b_thresh in §10.1(c).

³ For example, the FCC ID LF5MICS refers to Medtronic IMDs we tested.
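The jamming-signal shaping described in §6 above (independent white Gaussian noise per frequency bin, each bin's variance set from the IMD's FSK power profile, then an IFFT and a scale to the power budget), carried through as an added Python example. This is not the paper's or the shield prototype's code: the bin count, the placement of f_0 and f_1, the two-lobe profile standing in for the measured spectrum of Fig. 4, and the power budget are constructed assumptions. It also builds the oblivious, flat-profile jammer of Fig. 5 so the two can be compared on the fraction of jamming power that lands in the bins an FSK decoder actually relies on.

```python
"""Shaped vs. oblivious jamming signal for an FSK channel.
Added example, not the paper's code. Bin count, f0/f1, the lobe width that
stands in for the measured FSK profile, and the power budget are constructed."""
import cmath
import math
import random

N_BINS = 256                      # DFT size across one 300 kHz MICS channel
CHANNEL_BW_HZ = 300e3
BIN_HZ = CHANNEL_BW_HZ / N_BINS   # about 1.17 kHz per bin


def bin_freq_hz(k, n_bins=N_BINS):
    """Baseband frequency of bin k; bin n_bins/2 sits at the channel centre."""
    return (k - n_bins // 2) * BIN_HZ


def fsk_power_profile(f0_hz, f1_hz, lobe_hz, n_bins=N_BINS, floor=1e-3):
    """Constructed stand-in for the measured profile: one Gaussian lobe at f0 and one at f1."""
    prof = []
    for k in range(n_bins):
        f = bin_freq_hz(k, n_bins)
        p = math.exp(-((f - f0_hz) / lobe_hz) ** 2) + math.exp(-((f - f1_hz) / lobe_hz) ** 2)
        prof.append(max(p, floor))    # small floor: every bin still gets some jamming energy
    return prof


def inverse_dft(bins):
    """Naive inverse DFT of bins given in centred order (see bin_freq_hz)."""
    n = len(bins)
    return [sum(bins[k] * cmath.exp(2j * math.pi * (k - n // 2) * t / n) for k in range(n)) / n
            for t in range(n)]


def power_spectrum(samples):
    """Naive forward DFT; per-bin power in the same centred order as the profile."""
    n = len(samples)
    return [abs(sum(samples[t] * cmath.exp(-2j * math.pi * (k - n // 2) * t / n)
                    for t in range(n))) ** 2 / n for k in range(n)]


def mean_power(samples):
    return sum(abs(s) ** 2 for s in samples) / len(samples)


def scale_to_budget(samples, power_budget):
    """Scale the amplitude so the mean sample power equals the hardware budget."""
    g = math.sqrt(power_budget / mean_power(samples))
    return [s * g for s in samples]


def shaped_jamming_signal(profile, power_budget, rng):
    """Complex Gaussian noise per bin with variance profile[k], IDFT, then power scaling."""
    bins = []
    for p in profile:
        s = math.sqrt(p / 2)          # variance p split across real and imaginary parts
        bins.append(complex(rng.gauss(0, s), rng.gauss(0, s)))
    return scale_to_budget(inverse_dft(bins), power_budget)


def flat_jamming_signal(n_bins, power_budget, rng):
    """Oblivious jammer of Fig. 5: constant power profile across the channel."""
    return shaped_jamming_signal([1.0] * n_bins, power_budget, rng)


def in_band_fraction(samples, profile, threshold=math.exp(-1)):
    """Fraction of the jamming power that falls in bins where the IMD profile is strong,
    i.e. the bins a two-band-pass-filter decoder would keep."""
    spec = power_spectrum(samples)
    strong = [k for k, p in enumerate(profile) if p >= threshold]
    return sum(spec[k] for k in strong) / sum(spec)


def demo(seed=7, budget=1.0):
    """Compare the shaped jammer with the oblivious one on the same constructed profile."""
    rng = random.Random(seed)
    profile = fsk_power_profile(f0_hz=-50e3, f1_hz=50e3, lobe_hz=15e3)
    shaped = shaped_jamming_signal(profile, budget, rng)
    flat = flat_jamming_signal(len(profile), budget, rng)
    return {
        "shaped_mean_power": mean_power(shaped),
        "shaped_in_band": in_band_fraction(shaped, profile),
        "flat_in_band": in_band_fraction(flat, profile),
    }
```

Carrier-frequency-offset compensation and the FCC power cap are left out; `demo()` returns the comparison numbers rather than printing them, and with the constructed profile roughly four fifths of the shaped jammer's power lands in the decoder's bins against roughly one fifth for the flat jammer.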
(c) Customizing for the MICS band: It is important to realize that the shield can listen to the entire 3 MHz MICS band, transmit in all or any subset of the channels in this band, and further continue to listen to the whole band as it is transmitting in any subset of the channels. It is fairly simple to build such a device by making the radio front end as wide as 3 MHz and equipping the device with per-channel filters. This enables the shield to process the signals from all channels in the MICS band simultaneously.

The shield uses this capability to monitor the entire 3 MHz MICS band because an adversary can transmit to the IMD on any channel in the band. This monitoring allows the shield to detect and counter adversarial transmissions even if the adversary uses frequency hopping or transmits in multiple channels simultaneously to try to confuse the shield. The shield jams any given 300 kHz channel if the channel contains a signal that matches the constraints described in the active jamming algorithm.

(d) Complying with FCC rules: The shield must adhere to the FCC power limit even when jamming an adversary. However, as explained in §3, a sophisticated adversary may use a transmission power much higher than the FCC limit. In such cases, the adversary will be able to deliver its packet to the IMD despite jamming. However, the shield is still useful because it can detect the high-powered adversary in real time and raise an alarm to attract the attention of the patient or a caregiver. Such alarms may be similar to a cell phone alarm, i.e., the shield may beep or vibrate. It is desirable to have a low false positive rate for such an alarm. To that end, we calibrate the shield with an IMD to find the minimum adversarial transmit power that can trigger a response from the IMD despite jamming. We call this value P_thresh. When the shield detects a potentially adversarial transmission, it checks whether the signal power exceeds P_thresh, in which case it raises an alarm.

Finally, we note that when the shield detects a high-powered active adversary, it also considers the possibility that the adversary will send a message that triggers the IMD to send its private data. In this case, the shield applies the passive jamming algorithm: in addition to jamming the adversary's high-powered message, it jams the medium afterward as detailed in §6.

(e) Battery life of the shield: Since jamming consumes power, one may wonder how often the shield needs to be charged. In the absence of attacks, the shield jams only the IMD's transmissions, and hence transmits approximately as often as the IMD. IMDs are typically nonrechargeable power-limited devices that do not transmit frequently [11]. Thus, in this mode of operation, we do not expect the battery of the shield to be an issue. When the IMD is under an active attack, the shield will have to transmit as often as the adversary. However, since the shield transmits at the FCC power limit for the MICS band, it can last for a day or longer even if transmitting continuously. For example, wearable heart rate monitors that continuously transmit ECG signals can last 24–48 hours [57].

8. IMPLEMENTATION

We implement a proof-of-concept prototype shield with GNU Radio and USRP2 hardware [9, 16]. The prototype uses the USRP's RFX400 daughterboards, which operate in the MICS band [13]. The USRP2 does not support multiple daughterboards on the same motherboard, so we implement a two-antenna shield with two USRP2 radio boards connected via an external clock [25] so that they act as a single node. The two antennas are placed right next to each other.

[Figure 6 panel: plan of the testbed showing the shield, the IMD, and adversary locations numbered 1–18; scale marks 6.92 in and 8.92 in.]
Figure 6: Testbed setup showing shield, IMD, and adversary locations. We experiment with 18 adversary locations, numbered here in descending order of received signal strength at the shield.

Our design for a two-antenna jammer-cum-receiver requires the receive antenna to be always connected to both a transmit and a receive chain. To enable the shield's receive antenna to transmit and receive simultaneously, we turn off the USRP RX/TX switch, which leaves both the transmit and receive chains connected to the antenna all the time. Specifically, we set atr_txval=MIX_EN and atr_rxval=ANT_SW in the TX chain, and we set atr_txval=MIX_EN and atr_rxval=MIX_EN in the RX chain, in the USRP2's firmware and FPGA code. Finally, we equip the shield with FSK modulation and demodulation capabilities so that it can communicate with an IMD.

9. TESTING ENVIRONMENT

Our experiments use the following devices:

• Medtronic Virtuoso DR implantable cardiac defibrillators (ICDs) [37].
• A Medtronic Concerto cardiac resynchronization therapy device (CRT) [36].
• A Medtronic Vitatron Carelink 2090 Programmer [35].
• USRP2 software radio boards [9].

In our in vitro experiments, the ICD and CRT play the role of the protected IMD. The USRP devices play the roles of the shield, the adversary, and legitimate users of the MICS band. We use the programmer off-line with our active adversary; the adversary records the programmer's transmissions in order to replay them later. Analog replaying of these captured signals doubles their noise, reducing the adversary's probability of success, so the adversary demodulates the programmer's FSK signal into the transmitted bits to remove the channel noise. The adversary then re-modulates the bits to obtain a clean version of the signal to transmit to the IMD.

Fig. 6 depicts the testing setup. To simulate implantation in a human, we followed prior work [22] and implanted each IMD beneath 1 cm of bacon, with 4 cm of 85% lean ground beef packed underneath. We placed the shield next to the IMD on the bacon's surface to simulate a necklace. We varied the adversary's location between 20 cm and 30 m, as shown in the figure.

10. EVALUATION

We evaluate our prototype of a shield against commercially available IMDs. We show that the shield effectively protects the confidentiality of the IMD's messages and defends the IMD against commands from unauthorized parties. We experiment with both the Virtuoso ICD and the Concerto CRT. However, since the two IMDs did not show any significant difference, we combine the experimen-
tal results from both devices and present them together. Our results can be summarized as follows.

• In practice, our antenna cancellation design can cancel about 32 dB of the jamming signal at the receive antenna (§10.1(a)). This result shows that our design achieves similar performance to the antenna cancellation algorithm proposed in prior work [3], but without requiring a large antenna separation.

• Setting the shield's jamming power 20 dB higher than the IMD's received power allows the shield to achieve a high bit error rate at adversarial locations while still being able to reliably decode the IMD's transmissions (§10.1(b)). The shield's increased power still complies with FCC rules in the MICS band since the transmit power of implanted devices is 20 dB less than the transmit power for devices outside the body [40, 41].

• With the above setting, the bit error rate at a passive eavesdropper is nearly 50% at all tested locations, i.e., an eavesdropping adversary's decoding efforts are no more effective than random guessing. Further, even while jamming, the shield can reliably decode the IMD's packets with a packet loss rate less than 0.2%. We conclude that the shield and the IMD share an information channel inaccessible to other parties (§10.2).

• When the shield is present and active, an adversary using off-the-shelf IMD programmers cannot elicit a response from the protected IMD even from distances as small as 20 cm. A more sophisticated adversary that transmits at 100 times the shield's power successfully elicits IMD responses only at distances less than 5 meters, and only in line-of-sight locations. Further, the shield detects these high-powered transmissions and raises an alarm. We conclude that the shield significantly raises the bar for such high-powered adversarial transmissions (§10.3).

[Figure 7 panel: CDF (0–1) of the nulling of the jamming signal, 20–40 dB.]
Figure 7: Antenna cancellation: The antidote signal reduces the jamming signal by 32 dB on average.

[Figure 8 panels: (a) Adversary's BER vs. jamming power: BER at the adversary (0–0.6, reference line BER = 0.5) against jamming power relative to IMD power (0–25 dB). (b) Shield's PER vs. jamming power: packet loss at the shield (0–0.2, reference line PER = 0.002) against jamming power relative to IMD power (0–25 dB).]
Figure 8: Tradeoff between BER at the eavesdropper and reliable decoding at the shield: If the shield sets its jamming power 20 dB higher than the power it receives from the IMD, it can ensure that an eavesdropper sees a BER around 50% (a), effectively reducing the eavesdropper to guessing, while keeping the packet loss rate (PER) at the shield as low as 0.2% (b).

10.1 Micro-Benchmark Results

In this section, we calibrate the parameters of the shield and examine the performance of its components.

(a) Antenna cancellation: We first evaluate the performance of the antenna cancellation algorithm in §5, in which the shield sends an antidote signal to cancel the jamming signal on its receive antenna. In this experiment, the shield transmits a random signal on its jamming antenna and the corresponding antidote on its receive antenna. In each run, it transmits 100 Kb without the antidote, followed by 100 Kb with the antidote. We compute the received power at the receive antenna with and without the antidote. The difference in received power between the two trials is the amount of jamming cancellation resulting from the transmission of the antidote.

Fig. 7 shows the CDF of the amount of cancellation over multiple runs of the experiment. It shows that the average reduction in jamming power is about 32 dB. The figure also shows that the variance of this value is small. This result shows that the antenna cancellation algorithm introduced in this paper achieves similar performance to the antenna cancellation algorithm proposed by Choi et al. [3], but without requiring a large antenna separation.⁴

(b) Tradeoffs between eavesdropper error and shield error: The aforementioned 32 dB of cancellation at the shield's receive antenna naturally sets an upper bound on the jamming power: if the residual error after jamming cancellation is too high, the shield will fail to decode the IMD's data properly.

To explore the tradeoff between the error at the shield and the error at an eavesdropper, we run the following experiment. We place the IMD and the shield at their marked locations in Fig. 6, and we place a USRP eavesdropper 20 cm away from the IMD at location 1. In each run of the experiment, the shield repeatedly triggers the IMD to transmit the same packet. The shield also uses its jammer-cum-receiver capability to simultaneously jam and decode the IMD's packets. The eavesdropper tries to decode the IMD packets, in the presence of jamming, using an optimal FSK decoder [38].

Fig. 8(a) plots the eavesdropper's BER as a function of the shield's jamming power. Since the required jamming power naturally depends on the power of the jammed IMD's signal, the x-axis reports the shield's jamming power relative to the power of the signal it receives from the IMD. The figure shows that if the shield sets its jamming power 20 dB higher than the power of the signal it receives from the IMD, the BER at an eavesdropper is 50%, which means the eavesdropper's decoding task is no more successful than random guessing.

Next, we check that the above setting allows the shield to reliably decode the IMD's packets. As above, Fig. 8(b) plots the shield's packet loss rate as a function of its jamming power relative to the power of the signal it receives from the IMD. The figure shows that if the shield's jamming power is 20 dB higher than the IMD's power, the packet loss rate is no more than 0.2%. We conclude that this jamming power achieves both a high error rate at the eavesdropper and reliable decoding at the shield.

We note that the shield's increased power, described above, still complies with FCC rules on power usage in the MICS band because the transmit power of implanted devices is 20 dB less than the maximum allowed transmit power for devices outside the body [40, 41].

⁴ Choi et al. [3] also combine antenna cancellation with analog and digital cancellation to obtain a total cancellation of 60 dB at the receive antenna. However, we show in §10.2 that for our purposes, a cancellation of 32 dB suffices to achieve our goal of high reliability at the shield and nearly 50% BER at the adversary.

Table 1: Adversarial RSSI that elicits IMD responses despite the shield's jamming.
  P_thresh: Adversary power that elicits IMD response
    Minimum               −11.1 dBm
    Average                −4.5 dBm
    Standard Deviation      3.5 dBm

[Figure 9 panel: CDF (0–1) of the BER at the adversary (0–1).]
Figure 9: CDF of an eavesdropper's BER over all eavesdropper locations in Fig. 6: At all locations, the eavesdropper's BER is nearly 50%, which makes its decoding task no more successful than random guessing. The low variance in the CDF shows that an eavesdropper's BER is independent of its location.
(c) Setting the jamming parameters: Next we calibrate the jamming parameters for countering active adversaries. The shield must jam unauthorized packets sent to the IMD it protects. It must jam these packets even if it receives them with some bit errors, because they might otherwise be received correctly at the IMD. We therefore empirically estimate an upper bound, b_thresh, on the number of bit flips an IMD accepts in an adversary's packet header. The shield uses this upper bound to identify packets that must be jammed.
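The active jamming algorithm of §7 (the sliding-window comparison of the last m decoded bits against S_id, the jamming of any signal that appears while the shield itself is transmitting, and the P_thresh alarm of design point (d)) together with the offline calibration of b_thresh and P_thresh that this subsection describes, as one added Python example. None of it is the paper's or the prototype's code: S_id, the thresholds, the bit streams and the calibration log records are constructed stand-ins, and the margin of 2 added to the largest observed bit-flip count is my reading of the paper's choice of 4 after observing 2, not a rule the paper states. The match test uses "at most b_thresh differing bits", the wording of design point (b).

```python
"""Shield active-jamming decisions plus b_thresh / P_thresh calibration.
Added example, not the paper's code. S_ID, thresholds, bit streams and the
calibration log are constructed stand-ins for the Medtronic devices' values."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed S_id: 16-bit alternating preamble + 16-bit header (not the real one).
S_ID = "1010101010101010" + "1111000011001010"


def hamming(a, b):
    """Number of positions in which two equal-length bit strings differ."""
    return sum(x != y for x, y in zip(a, b))


def flip(bits, positions):
    """Invert the given bit positions (simulates channel bit errors)."""
    out = list(bits)
    for p in positions:
        out[p] = "0" if out[p] == "1" else "1"
    return "".join(out)


@dataclass
class Shield:
    s_id: str            # identifying sequence S_id (m bits)
    b_thresh: int        # jam when the last m bits differ from S_id by at most this many
    p_thresh_dbm: float  # alarm when a jammed transmission's RSSI exceeds this
    transmitting: bool = False
    jamming: bool = False
    window: str = ""
    actions: list = field(default_factory=list)  # ("jam", reason, bit_idx) / ("alarm", rssi)

    def start_tx(self):
        self.transmitting = True

    def on_signal(self, rssi_dbm, bits):
        """Medium went busy; `bits` arrive one at a time from the FSK demodulator."""
        if self.transmitting:
            # Concurrent with our own message: jam without checking S_id so the
            # message cannot be altered in flight (the §7 rule for transmitting).
            self.transmitting, self.jamming = False, True
            self.actions.append(("jam", "concurrent", 0))
            return
        for i, bit in enumerate(bits):
            if self.jamming:
                break                        # keep jamming until the medium is idle
            self.window = (self.window + bit)[-len(self.s_id):]
            if len(self.window) == len(self.s_id) and hamming(self.window, self.s_id) <= self.b_thresh:
                self.jamming = True
                self.actions.append(("jam", "s_id", i))
                if rssi_dbm > self.p_thresh_dbm:  # design point (d): high-powered sender
                    self.actions.append(("alarm", rssi_dbm))

    def on_idle(self):
        self.jamming, self.window = False, ""


@dataclass
class LogRecord:
    """One adversarial packet from the calibration run (shield logging, not jamming)."""
    decoded_header: str   # header bits as decoded at the shield
    rssi_dbm: float       # RSSI at the shield's receive antenna
    imd_responded: bool   # whether the IMD answered this packet


# Constructed calibration log (not the paper's 5000-packet data set).
CALIBRATION_LOG = [
    LogRecord(S_ID, -8.0, True),
    LogRecord(flip(S_ID, [5]), -5.0, True),
    LogRecord(flip(S_ID, [2, 29]), -11.0, True),
    LogRecord(flip(S_ID, [1, 7, 12, 18, 25]), -3.0, False),
    LogRecord(S_ID, -20.0, False),
]


def calibrate_b_thresh(records, s_id, margin=2):
    """Largest header bit-flip count the IMD still accepted, plus a safety margin (assumed)."""
    flips = [hamming(r.decoded_header, s_id) for r in records if r.imd_responded]
    return max(flips, default=0) + margin


def calibrate_p_thresh(records, back_off_db=3.0):
    """P_thresh = minimum RSSI that elicited a response, minus 3 dB; plus a Table 1 style summary."""
    rssi = [r.rssi_dbm for r in records if r.imd_responded]
    return min(rssi) - back_off_db, {"min": min(rssi), "avg": mean(rssi), "std": pstdev(rssi)}


def run_scenarios():
    """Run the shield on four constructed situations; returns the actions it took."""
    b_thresh = calibrate_b_thresh(CALIBRATION_LOG, S_ID)
    p_thresh, _ = calibrate_p_thresh(CALIBRATION_LOG)
    cases = {  # name -> (shield is transmitting?, rssi_dbm, decoded bits)
        "unauthorized": (False, -30.0, "0110" + flip(S_ID, [3, 20]) + "1111000"),  # 2 errors
        "cross_traffic": (False, -30.0, "0" * 48),        # never resembles S_id
        "high_power": (False, -5.0, S_ID + "0101"),       # above P_thresh
        "concurrent": (True, -20.0, "1" * 10),            # arrives during our own tx
    }
    results = {}
    for name, (busy, rssi, bits) in cases.items():
        sh = Shield(S_ID, b_thresh, p_thresh)
        if busy:
            sh.start_tx()
        sh.on_signal(rssi, bits)
        sh.on_idle()
        results[name] = sh.actions
    return results
```

With the constructed log, calibration yields b_thresh = 4 and P_thresh = −14 dBm; the unauthorized packet is jammed once its last 32 bits match S_id within two flips, the zero-filled cross-traffic is left alone, the high-powered packet is jammed and raises an alarm, and the concurrent signal is jammed on arrival without any S_id check.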
To estimate b_thresh, we perform the following experiment. First, a USRP transmits unauthorized commands to the IMD to trigger it to send patient data. We repeat the experiment for all locations in Fig. 6. The shield stays in its marked location in Fig. 6, but its jamming capability is turned off. However, the shield logs all of the packets transmitted by the IMD as well as the adversarial packets that triggered them. We process these logs offline and, for packets that successfully triggered an IMD response despite containing bit errors, we count the number of bit flips in the packet header. Our results show that it is unlikely that a packet will have bit errors at the shield but still be received correctly by the IMD. Out of 5000 packets, only three packets showed errors at the shield but still triggered a response from an IMD. The maximum number of bit flips in those packets was 2, so we conservatively set b_thresh = 4.

[Figure 10 panel: CDF (0–1) of the packet loss at the shield (0–0.025).]
Figure 10: Packet loss at the shield: When the shield is jamming, it experiences an average packet loss rate of only 0.2% when receiving the IMD's packets. We conclude that the shield can reliably decode the IMD's transmissions despite jamming.

Next, we measure P_thresh, the minimum adversary RSSI at the shield that can elicit a response from the IMD in the presence of jamming. To do so, we fix the location of the IMD and the shield as shown in Fig. 6. Again we use a USRP that repeatedly sends a command to trigger the IMD to transmit. We fix the adversary in location 1 and vary its transmit power. Table 1 reports the minimum and average RSSI at the shield's receive antenna for all packets that succeeded in triggering the IMD to transmit. We set P_thresh 3 dB below the minimum RSSI in the table and use that value for all subsequent experiments.

10.2 Protecting from Passive Adversaries

To evaluate the effectiveness of the shield's jamming, we run an experiment in which the shield repeatedly triggers the IMD to transmit the same packet. The shield also uses its jammer-cum-receiver capability to jam the IMD's packets while it decodes them. We set the shield's jamming power as described in §6. In each run, we position an eavesdropper at a different location shown in Fig. 6 and make the IMD send 1000 packets. The eavesdropping adversary attempts to decode the IMD's packets using an optimal FSK decoder [38]. We record the BER at the eavesdropper and the packet loss rate at the shield.

Fig. 9 plots a CDF of the eavesdropper's BER taken over all locations in Fig. 6. The CDF shows that the eavesdropper's BER is nearly 50% in all tested locations. We conclude that our design of the shield achieves the goal of protecting the confidentiality of the IMD's transmissions from an eavesdropper regardless of the eavesdropper's location.

For the same experiment, Fig. 10 plots a CDF of the packet loss rate of IMD-transmitted packets at the shield. Each point on the x-axis refers to the packet loss rate over 1000 IMD packets. The average packet loss rate is about 0.2%, considered low for wireless systems [8]. Such a low loss rate is due to two factors. First, we locate the shield fairly close to the IMD, so it receives the IMD's signal at a relatively high SNR. Second, the jamming cancellation is sufficient to maintain a high SNR that ensures a low packet loss rate. We conclude that the shield can decode the IMD's packets reliably, even while jamming.

10.3 Protecting from Active Adversaries

We distinguish between two scenarios representing different levels of adversarial sophistication. In the first, we consider scenarios in which the adversary uses an off-the-shelf IMD programmer to send unauthorized commands to the IMD. In the second, a more sophisticated adversary reverse-engineers the protocol and uses custom hardware to transmit with much higher power than is possible in the first scenario.

(a) Adversary that uses a commercial IMD programmer: The simplest way an adversary can send unauthorized commands to an IMD is to obtain a standard IMD programmer and use its built-in radio. Since commercial programmers abide by FCC rules, in this scenario, the adversary's transmission power will be comparable to that of the shield.

Using an IMD programmer we obtained via a popular auction website, we play the role of such an active adversary. We use the setup in Fig. 6, fixing the IMD's and shield's locations and transmitting unauthorized commands from all the marked locations. As shown in the figure, we experiment with both line-of-sight and non-
line-of-sight locations as well as nearby (20 cm) and relatively far locations (30 m).

[Figure 11 panel: probability the IMD replies, shield absent vs. shield present, at locations 1–14.]
Figure 11: Without the shield, triggering an IMD to transmit and deplete its battery using an off-the-shelf IMD programmer succeeds with high probability. With the shield, such attacks fail.

[Figure 12 panel: probability the IMD changes treatment, shield absent vs. shield present, at locations 1–14.]
Figure 12: Without the shield, an adversary using an off-the-shelf programmer to send unauthorized commands (in this case, to modify therapy parameters) succeeds with high probability. The shield materially decreases the adversary's ability to control the IMD.

To test whether the shield's jamming is effective against unauthorized commands, regardless of which unauthorized command the adversary chooses to send, we experiment with two types of adversarial commands: those that trigger the IMD to transmit its data with the objective of depleting its battery, and those that change the IMD's therapy parameters. In each location, we play each command 100 times with the shield on and 100 times with the shield off. After each attempt, we check whether the command was successful.

To determine whether the first type of command was successful, i.e., whether it elicited a reply, we sandwiched a USRP observer along with the IMD between the two slabs of meat. To allow the USRP observer to easily check whether the IMD transmitted in response to the adversary's command, we configure the shield to jam only the adversary's packets, not the packets transmitted by the IMD. To determine whether a therapy modification command was successful, we use the IMD programmer to read the therapy parameters before and after the attempt.

Fig. 11 and Fig. 12 show the results of these experiments. They plot the probability that adversarial commands succeed with the shield off (absent) and on (present), each as a function of adversary locations. The locations are ordered by decreasing SNR at the USRP observer. The figures show the following:

• When the shield is off, adversaries located up to 14 meters away (location 8) from the IMD, including non-line-of-sight locations, can change the IMD's therapy parameters or cause the IMD to transmit its private data using precious battery energy, in contrast to past work in which the adversarial range is limited to a few centimeters [22]. We attribute this increased adversarial range to recent changes in IMD design that enable longer-range radio communication (MICS band) meant to support remote monitoring and a larger sterile field during surgery.

• When the shield is on, it successfully prevents the IMD from receiving adversarial commands as long as the adversary uses a device that obeys FCC rules on transmission power, even when the adversary is as close as 20 cm.

• There is no statistical difference in success rate between commands that modify the patient's treatment and commands that trigger the IMD to transmit private data and deplete its battery.

(b) High-powered active adversary: Next, we experiment with scenarios in which the adversary uses custom hardware to transmit at 100 times the shield's transmit power. The experimental setup is similar to those discussed above; specifically, we fix the locations of the IMD and the shield and vary the high-powered adversary's position among the numbered locations in Fig. 6. Each run has two phases: one with the shield off and another with the shield on. Since we found no statistical difference in success rate between unauthorized commands that trigger the IMD to transmit and those that change its therapy parameters, we show results only for the therapy modification command.

Fig. 13 shows the results of this experiment in terms of the observed probability of adversarial success, with the shield both on and off. It also shows the observed probability that the shield raises an alarm, which is how the shield responds to a high-powered (above P_thresh) adversarial transmission. The figure further shows:

• When the shield is off, the adversary's increased transmission power allows it to elicit IMD responses from as far as 27 meters (location 13) and from non-line-of-sight locations.

• When the shield is on, the adversary elicits IMD responses only from nearby, line-of-sight locations. Thus, the shield's presence raises the bar even for high-powered adversaries.

• Whenever the adversary elicits a response from the IMD in the presence of the shield, the shield raises an alarm. The shield also raises an alarm in response to unsuccessful adversarial transmissions that are high powered and emanate from nearby locations (e.g., location 6). While this conservative alert results in false positives, we believe it is reasonable to alert the patient that an adversary is nearby and may succeed at controlling the IMD.

11. COEXISTENCE

We investigate how the presence of a shield affects other legitimate users of the medium. As explained in §2, the FCC rules for medical devices in the MICS band require such devices to monitor a candidate channel for 10 ms and avoid using occupied channels. As a result, two pairs of honest medical devices are unlikely to share the same 300 kHz channel. We focus our evaluation on coexistence with the meteorological devices that are the primary users of the MICS band (and hence can transmit even on occupied channels).

In this experiment, we position the IMD and the shield in the locations marked on Fig. 6. We make a USRP board alternate between sending unauthorized commands to the IMD and transmitting cross-traffic unintended for the IMD. The cross-traffic is modeled after the transmissions of meteorological devices, in particular a Vaisala digital radiosonde RS92-AGP [1] that uses GMSK modulation. For each of the adversary positions in Fig. 6, we make the USRP alternate between one packet to the IMD and one cross-traffic packet. The shield logs all packets it detects and reports which of them it jammed.

Post-processing of the shield's log showed that the shield did not jam any of the cross-traffic packets, regardless of the transmitter's location. In contrast, the shield jammed all of the packets that it detected were addressed to the IMD; see Table 2. Further, our software radio implementation of the shield takes 270 ± 23 µs after an adversary stops transmitting to turn around and stop its own
0.89

0.87
1 1 1 1 1 0.98 1 0.92 1 1 1
1 0.92 Prob. Shield Raises Alarm

0.74

0.72
Prob. IMD responds, Shield Absent
0.8 Prob. IMD responds, Shield Present
Probability
0.6

0.3
0.4

0.1
0.2 0.1

0 0 0 0 0 0 0 0 0 0 0 0 0 0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Location
Figure 13High-powered adversary: Without the shield, an adversary transmitting at 100 times the shields power can change the IMDs
therapy parameters even from non-line-of-sight locations up to 27 m away. With the shield, the adversary is successful only from line-of-sight
locations less than 5 m away, and the shield raises an alarm.

Cross-Traffic 0 but differs from it in that our jammer can transmit and receive at
Probability of Jamming
Packets that trigger IMD 1 the same time; this allows it to decode IMD messages while pro-
Average 270 s tecting their confidentiality.
Turn-around Time
Standard Deviation 23 s Our work is related to prior work on physical-layer information-
theoretic security. Past work in this area has shown that if the chan-
Table 2Coexistence results: Jamming behavior and turn-around nel to the receiver is better than the channel to an eavesdropper, the
time in the presence of simulated meteorological cross-traffic.
sender-receiver pair can securely communicate [5, 52, 54]. Also,
our prior work proposes iJam, an OFDM-based technique that jams
transmissions. This delay is mainly due to the shields being im- while receiving to prevent unauthorized receivers from obtaining
plemented in software. A hardware implementation would have a a protected signal [20]. iJam, however, is not applicable to IMDs
more efficient turn-around time of tens of microseconds. (Note, for because it relies on the intrinsic characteristics of OFDM signals,
example, that a 802.11 card can turn around in a SIFS duration of which differ greatly from IMDs FSK signals. Further, iJam re-
10 s.) The low turn-around time shows that the shield does not quires changes to both the transmitter and receiver, and hence does
continuously jam the medium (thereby denying others access to it). not immediately apply to IMDs that are already implanted.
Finally, our work also builds on past work on full-duplex ra-
12. RELATED WORK dio [3, 7, 4]. Ours, however, differs from all past works in that it
Recent innovations in health-related communication and net- is the first to demonstrate the value of using full-duplex radios for
working technologies range from low-power implantable radios security. Furthermore, we implement a radio where the antennas
that harvest body energy [27] to medical sensor networks for in- are placed next to each other so that it can be built as a small device
home monitoring and diagnosis [51, 55]. Past work has also studied and show both empirically and analytically that our design secures
the vulnerabilities of these systems and proposed new designs that IMDs using only 30 dB cancellation which is significantly less than
could improve their security [21, 22]. Our work builds on this foun- the 60-80 dB cancellation required by prior work [7, 3].
dation, but it differs from all past works in that it presents the first
system that defends existing commercial IMDs against adversaries
who eavesdrop on transmissions or send unauthorized commands. 13. CONCLUSION
Our design is motivated by the work of Halperin et al., who The influx of wireless communication in medical devices brings
analyzed the security properties of an implantable cardiac device a number of domain-specific problems that require the expertise of
and demonstrated its vulnerability to adversarial actions that com- both the wireless and security communities. This paper addresses
promise data confidentiality or induce potentially harmful heart the problem of communication security for implantable medical de-
rhythms [21, 22]. They also suggested adding passively powered vices. The key challenge in addressing this problem stems from the
elements to implantable devices to allow them to authenticate their difficulty of modifying or replacing implanted devices. We present
interlocutors. Along similar lines, Denning et al. propose a class of the design and implementation of a wireless physical-layer solution
devices called cloakers that would share secret keys with IMDs [6]; that delegates the task of protecting IMD communication to an ex-
an IMD would attempt to detect an associated cloakers presence ternal device called the shield. Our evaluation shows that the shield
either periodically or when presented with an unknown program- effectively provides confidentiality for IMDs transmitted data and
mer. Unlike these three proposals, our technique does not require shields IMDs from unauthorized commands, both without requiring
cryptographic methods and is directly applicable to IMDs that are any changes to the IMDs themselves.
already implanted.
Other work has focused on the problem of key distribution for Acknowledgments: We thank Arthur Berger, Ramesh Chandra, Rick
cryptographic security. Cherukuri et al. propose using consistent Hampton, Steve Hanna, Dr. Daniel Kramer, Swarun Kumar, Nate Kush-
man, Kate Lin, Hariharan Rahul, Stefan Savage, Keith Winstein, and Nick-
human biometric information to generate identical secret keys at
olai Zeldovich for their insightful comments. The authors acknowledge the
different places on a single body [2]. Schechter suggests that key financial support of the Interconnect Focus Center, one of the six research
material could be tattooed onto patients using ultraviolet micro- centers funded under the Focus Center Research Program, a Semiconduc-
pigmentation [48]. tor Research Corporation program. This research is also supported by NFS
Our work builds on a rich literature in wireless communica- CNS-0831244, an NSF Graduate Research Fellowship, a Sloan Research
tion. Specifically, past work on jamming focuses on enabling wire- Fellowship, the Armstrong Fund for Science, and Cooperative Agreement
No. 90TR0003/01 from the Department of Health and Human Services. Its
less communication in the presence of adversarial jamming [29,
contents are solely the responsibility of the authors and do not necessarily
42]. Some past work, however, has proposed to use friendly jam- represent the official views of the DHHS or NSF. K. Fu is listed as an inven-
ming to prevent adversarial access to RFID tags, sensor nodes, and tor on patent applications pertaining to zero-power security and low-power
IMDs [33, 44, 56]. Our work is complementary to this past work flash memory both with assignee UMass.
14. REFERENCES Jamming-resistant wireless broadcast communication. In Proc. IEEE
INFOCOM, 2010.
[1] J. kerberg. State-of-the-art radiosonde telemetry. In Proc. Symp. [30] J. Lopatka. Adaptive generating of the jamming signal. In Proc. IEEE
Integrated Observing and Assimilation Systems for Atmosphere, Military Communications Conference (MILCOM), 1995.
Oceans, and Land Surface. American Meterological Society, 2004. [31] W. H. Maisel. Safety issues involving medical devices: Implications
[2] S. Cherukuri, K. K. Venkatasubramanian, and S. K. S. Gupta. Biosec: of recent implantable cardioverter-defibrillator malfunctions. Journal
A biometric based approach for securing communication in wireless of the American Medical Association, 2005.
networks of biosensors implanted in the human body. In [32] W. H. Maisel and T. Kohno. Improving the security and privacy of
International Conference on Parallel Processing Workshops, 2003. implantable medical devices. New England Journal of Medicine,
[3] J. Choi, M. Jain, K. Srinivasan, P. Levis, and S. Katti. Achieving 362(13):11641166, 2010.
single channel, full duplex wireless communication. In Proc. ACM [33] I. Martinovic, P. Pichota, and J. Schmitt. Jamming for good: A fresh
MobiCom, 2010. approach to authentic communication in WSNs. In Proc. ACM Conf.
[4] J. Choi, M. Jain, K. Srinivasan, P. Levis, and S. Katti. A working on Wireless Network Security (WiSec), 2009.
single channel, full duplex wireless system. In Mobicom Demo, 2010. [34] Medtronics Paradigm Veo wireless insulin pump helps prevent
[5] I. Csiszar and J. Korner. Broadcast channels with confidential hypoglycemia. MedGadgetInternet Journal for emerging medical
messages. IEEE Trans. Inf. Theory, 24(3):339348, 1978. technologies, 2009.
[6] T. Denning, K. Fu, and T. Kohno. Absence makes the heart grow [35] Medtronic Inc. CareLink Programmer. http://www.medtronic.com/.
fonder: New directions for implantable medical device security. In [36] Medtronic Inc. Concerto II CRT-D digital implantable cardioverter
Proc. USENIX Workshop on Hot Topics in Security (HotSec), 2008. defibrillator with cardiac resynchronization therapy.
[7] M. Duarte and A. Sabharwal. Full-duplex wireless communications http://www.medtronic.com/.
using off-the-shelf radios: Feasibility and first results. In Asilomar [37] Medtronic Inc. Virtuoso DR/VR implantable cardioverter
Conference on Signals, Systems, and Computers, 2010. defibrillator systems. http://medtronic.com/.
[8] D. Eckhardt and P. Steenkiste. Measurement and analysis of the error [38] H. Meyr, M. Moeneclaey, and S. A. Fechtel. Digital Communication
characteristics of an in-building wireless network. In Proc. ACM Receivers: Synchronization, Channel Estimation, and Signal
SIGCOMM, 1996. Processing. Wiley, 1998.
[9] Ettus Inc. Universal Software Radio Peripheral. http://ettus.com/. [39] D. Panescu. Wireless communication systems for implantable
[10] European Telecommunications Standard Institute. ETSI EN 301 medical devices. IEEE Eng. in Medicine and Biology Mag., 2008.
839-1 V1.3.1, 2009. [40] PCTest Engineering Labs, Inc. Certificate of compliance, fcc part 95
[11] C. Falcon. Inside implantable devices. Medical Design Tech., 2004. certification, test report number: 95.220719375.lf5, 2002.
[12] Federal Communications Commission. FCC ID number search. [41] PCTest Engineering Labs, Inc. Certificate of compliance, fcc part 95
http://www.fcc.gov/searchtools.html. and en 301 839-2, test report number: 0703090168.med, 2007.
[13] Federal Communications Commission. MICS Medical Implant [42] C. Ppper, M. Strasser, and S. Capkun. Jamming-resistant broadcast
Communication Services, FCC 47CFR95.601-95.673 Subpart E/I communication without shared keys. In USENIX Security Sym., 2009.
Rules for MedRadio Services. [43] B. Radunovic, D. Gunawardena, P. Key, A. Proutiere, N. Singh, H. V.
[14] K. Fu. Inside risks: Reducing the risks of implantable medical Balan, and G. Dejean. Rethinking indoor wireless: Low power, low
devices: A prescription to improve security and privacy of pervasive frequency, full-duplex. Technical report, Microsoft Research, 2009.
health care. Communications of the ACM, 52(6):2527, 2009. [44] M. Rieback, B. Crispo, and A. Tanenbaum. RFID Guardian: A
[15] K. Fu. Trustworthy medical device software. In Public Health battery-powered mobile device for RFID privacy management. In
Effectiveness of the FDA 510(k) Clearance Process: Measuring Proc. Australasian Conf. on Information Security and Privacy, 2005.
Postmarket Performance and Other Select Topics: Workshop Report. [45] D. Sagan. Rf integrated circuits for medical applications: Meeting the
IOM (Institute of Medicine), National Academies Press, 2011. challenge of ultra low power communication. Zarlink Semiconductor.
[16] GNU Radio. http://gnuradio.org/. http://stf.ucsd.edu/presentations.
[17] A. Goldsmith. Wireless Communications. Cambridge University [46] N. Santhapuri, R. R. Choudhury, J. Manweiler, S. Nelakuduti, S. Sen,
Press, 2005. and K. Munagala. Message in message mim: A case for reordering
[18] S. Gollakota, F. Adib, D. Katabi, and S. Seshan. Clearing the RF transmissions in wireless networks. In ACM HotNets-VII, 2008.
smog: Making 802.11 robust to cross-technology interference. In [47] K. Sayrafian-Pour, W. Yang, J. Hagedorn, J. Terrill, K. Yazdandoost,
ACM SIGCOMM, 2011. and K. Hamaguchi. Channel models for medical implant
[19] S. Gollakota, N. Ahmed, N. Zeldovich, and D. Katabi. Secure communication. Inter. Journal of Wireless Info. Networks, 2010.
in-band wireless pairing. In USENIX Security Sym., 2011. [48] S. Schechter. Security that is meant to be skin deep: Using ultraviolet
[20] S. Gollakota and D. Katabi. Physical layer security made fast and micropigmentation to store emergency-access keys for implantable
channel-independent. In Proc. IEEE INFOCOM, 2011. medical devices. In USENIX Workshop HealthSec, 2010.
[21] D. Halperin, T. S. Heydt-Benjamin, K. Fu, T. Kohno, and W. H. [49] M. Scheffler, E. Hirt, and A. Caduff. Wrist-wearable medical devices:
Maisel. Security and privacy for implantable medical devices. IEEE Technologies and applications. Medical Device Technology, 2003.
Pervasive Computing, 7(1), 2008. [50] C. E. Shannon. Communication theory of secrecy systems. Bell
[22] D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, System Technical Journal, 28(4):656715, 1949.
B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. [51] V. Shnayder, B. Chen, K. Lorincz, T. R. F. Fulford-Jones, and
Pacemakers and implantable cardiac defibrillators: Software radio M. Welsh. Sensor networks for medical care. Technical Report
attacks and zero-power defenses. In Proc. IEEE Symposium on TR-08-05, Harvard University, 2005.
Security and Privacy, 2008. [52] M. J. Siavoshani, U. Pulleti, E. Atsan, I. Safaka, C. Fragoulia,
[23] Industry Canada. Radio Standards Specification RSS-243: Medical K. Argyraki, and S. Diggavi. Exchanging secrets without using
Devices Operating in the 401406 MHz Frequency Band. Spectrum cryptography. arXiv:1105.4991v1, 2011.
Management and Telecommunications, 2010. [53] D. Tse and P. Vishwanath. Fundamentals of Wireless
[24] International Telecommunications Union. ITU-R Recommendation Communications. Cambridge University Press, 2005.
RS.1346: Sharing between the meteorological aids service and [54] A. Wyner. The wire-tap channel. Bell Sys. Technical Journal, 1975.
medical implant communication systems (MICS) operating in the [55] S. Xiao, A. Dhamdhere, V. Sivaraman, and A. Burdett. Transmission
mobile service in the frequency band 401406 MHz, 1998. power control in body area sensor networks for healthcare
[25] Jackson Labs. Fury GPSDO. http://www.jackson-labs.com/. monitoring. IEEE Journal on Selected Areas in Comm., 2009.
[26] W. C. Jakes. Microwave Mobile Communications. Wiley, 1974. [56] F. Xu, Z. Qin, C. C. Tan, B. Wang, and Q. Li. IMDGuard: Securing
[27] M. Koplow, A. Chen, D. Steingart, P. Wright, and J. Evans. Thick implantable medical devices with the external wearable guardian. In
film thermoelectric energy harvesting systems for biomedical Proc. IEEE INFOCOM, 2011.
applications. In Proc. Symp. Medical Devices and Biosensors, 2008. [57] Zephyr Inc. BioHarness BT. http://www.zephyr-technology.com.
[28] C. Kuo, J. Walker, and A. Perrig. Low-cost manufacturing, usability [58] C. Zhan, W. B. Baine, A. Sedrakyan, and S. Claudia. Cardiac device
and security: An analysis of bluetooth simple pairing and wi-fi implantation in the US from 1997 through 2004: A population-based
protected setup. In Usable Security Workshop, 2007. analysis. Journal of General Internal Medicine, 2007.
[29] Y. Liu, P. Ning, H. Dai, and A. Liu. Randomized differential DSSS:
